Re: Lost EFS Recovery Key for local admin

From: Jim Nugent (nuge@execpc.com)
Date: 04/18/03


From: "Jim Nugent" <nuge@execpc.com>
Date: Fri, 18 Apr 2003 15:38:00 -0500


I did some more experimenting. I found I could get a File Recovery
Certificate for any user in the Admin group by modifying the instructions in
MSKB article 257705 as follows:

1. delete File Recovery certificates in EDRP and also in DRA's personal
store.
2. unregister sclgntfy.dll
3. restart the computer
4. log on as the intended DRA. The certificate will be there.
5. register sclgntfy.dll

I had been suspicious of the effectiveness of these lines back-to-back:
regsvr32 -u sclgntfy.dll
regsvr32 sclgntfy.dll
with nothing happening in between. Seems like a no-op. I don't know how MS
came up with that one.

Somehow in my horsing around before the other posting I believe I tried it
with the restart. That's why I got the certificate.

Anyway, my modified procedure worked for any user except the built-in
Administrator. I found that this account had somehow acquired a mandatory
profile. Oops. Fixing that allowed the built-in Administrator to get a
certificate. Along the way I created a separate account called 'recovery'
which is currently the DRA. The advantage of this plan is that the account is
used for NOTHING else.

The advantage of using the built-in Administrator would be that the account
cannot be deleted, and will always be there on a fresh install. (Though I'd
have to replace the "new" certificate with the "old" one to use it to recover
existing files.)

--
Jim
"Remember, an amateur built the Ark; professionals built the Titanic."
"Jonathan" <jonsteph@nospam.carolina.rr.com> wrote in message
news:1l6s9v0961fh8fu16iqohbrqb9820eagmh@4ax.com...
> After following this article, the first administrator-level account to
> logon becomes the Recovery Agent. Since your account is in the
> Administrators group, it qualifies. If you want the local
> Administrator account to be the Recovery Agent, log on with that
> account after reinitializing the EDRP.
>
>  -- Jonathan
>
> On Wed, 16 Apr 2003 06:54:18 -0500, "Jim Nugent" <nuge@execpc.com>
> wrote:
>
> >Thank you!! The procedure in article 257705 did not appear to be working at
> >first, but then I discovered it was generating a File Recovery Certificate
> >and putting it under my personal account which is in the Administrators
> >group but is not the builtin Admin account. I have no idea why, but at least
> >I have a valid certificate now. I had to log in as local Administrator to
> >create my account. Is there a way to change the system's notion of who gets
> >put in the EDRP?
> >
> >Anyway, that's a great trick to know for Windows 2000!
> >Thank you again!
>
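An added check, not part of Jim's post or of the MSKB 257705 procedure: after step 4, this PowerShell snippet lists any File Recovery certificates visible to the logged-on account (and whether the private key is present), so you can confirm which account actually became the DRA instead of guessing from certmgr.msc. It assumes a current Windows PowerShell and that the EFS File Recovery EKU is OID 1.3.6.1.4.1.311.10.3.4.1.

```powershell
# Added example: verify that the account you just logged on as holds a
# File Recovery certificate. Assumes the File Recovery EKU OID below.
$fileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-FileRecoveryCertificate {
    param(
        # Personal stores of the current user and of the machine.
        [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object {
                # Keep only certificates whose EKU list contains File Recovery.
                $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $fileRecoveryEku }
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # Without the private key the certificate cannot recover anything.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$certs = @(Get-FileRecoveryCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No File Recovery certificate found for $env:USERNAME; the procedure did not take effect for this account."
} else {
    $certs | Format-Table -AutoSize
    # The DRA key should also be exported and kept offline; e.g. (hypothetical path/password):
    # Export-PfxCertificate -Cert (Get-Item "Cert:\CurrentUser\My\$($certs[0].Thumbprint)") `
    #     -FilePath .\dra-backup.pfx -Password (Read-Host -AsSecureString 'PFX password')
}
```

Run it once as the intended DRA and once as the other admin account; a certificate showing HasPrivateKey = True under Cert:\CurrentUser\My identifies who really holds the recovery key.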